Observium: Pre-auth and security questions
Tom,
Thank you for your input. This has been a bit of a learning experience for me. After researching and playing around with Apache, I was able to enable basic authentication using htpasswd.
When I attempt to access Observium, I'm prompted for credentials as expected.
Once I log in with the creds I've configured, I land at the Observium form based authentication page. I'm trying to pass the username and password provided to htpasswd, and send them to Observium on the backend. As you noted earlier, it seems like I should be able to do this with the remote user variable. However, I can't seem to get it to work.
I've listed my current virtual host config below.
I enabled a2enmod headers and restarted Apache with no luck. I'm curious if you know if there's something I'm missing. I'll keep digging and working away at this, but I thought I'd provide an update to the mailing list. Other users may find it helpful if we sort it out.
Many thanks,
<VirtualHost *:80>
DocumentRoot /opt/observium/html/
CustomLog /opt/observium/logs/access_log combined
ErrorLog /opt/observium/logs/error_log
<Directory "/opt/observium/html/">
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
RewriteEngine on
RewriteCond %{ENV:REMOTE_USER} (.+)
RequestHeader set X-Forwarded-User %{ENV:REMOTE_USER}e
</Directory>
</VirtualHost>
- NM
-----Original Message-----
From: observium [mailto:observium-bounces@observium.org] On Behalf Of observium-request@observium.org
Sent: Saturday, January 16, 2016 6:11 PM
To: observium@observium.org
Subject: observium Digest, Vol 66, Issue 96
Today's Topics:
1. Re: Observium: Pre-auth and security questions (Tom Laermans)
Message: 1
Date: Sun, 17 Jan 2016 01:10:43 +0100
From: Tom Laermans <tom.laermans@powersource.cx>
To: Observium Network Observation System <observium@observium.org>
Subject: Re: [Observium] Observium: Pre-auth and security questions
Message-ID: <569ADC03.1000002@powersource.cx>
Content-Type: text/plain; charset="windows-1252"; Format="flowed"
Hi Nate,
We support trusting Apache with the auth (i.e. mod_auth_kerb, mod_auth_ldap, htpasswd, etc) by using its supplied REMOTE_USER variable - this works with at least the LDAP and MySQL backends; if your SSO setup could fill in these fields, you should be good. This bypasses our login forms of course. I use SSO with Kerberos (AD) tickets, handled by mod_auth_kerb.
We also have an http-auth backend, but I don't think that will do what you want it to.
There's also a CAS backend, fairly new, I have no idea how to use it but I don't think it could work with your netscaler setup.
Tom
On 16/01/2016 23:52, Nate Mellendorf wrote:
Good evening everyone,
I've been trying to configure Observium with a forms based SSO solution.
My reasoning for this is that I'd like to minimize the attack surface for Observium when published to the Internet.
As Observium supports groups, I thought it would be extremely beneficial for clients to view their throughput at any time from anywhere.
I was curious if anyone in the community is using pre-authentication, or if you're publishing Observium directly to the Internet.
I'm not as familiar with Apache and PHP, so hardening the service through pre-auth seemed like a good first step.
Unfortunately, I can't quite get pre-auth to work. Observium uses forms based authentication, which is hard to capture on the platform I'm using.
Here's a link, if you're curious on how I'm trying to capture it:
http://fritsesblog.blogspot.com/2015/04/link-to-netscaler-form-sso-kb.html
If I could get Observium to use basic authentication, I think I could get it to work. Do we know if this is possible? A better question, is pre-auth even necessary here?
Aside from HTTPS, iptables, firewalling, and locking down SSH/root, what other steps do you take to secure your Observium server? Do you think that allowing Internet access is unwise at this time?
Thank you for any input or insight into this. This is a concern of mine that I'm trying to address.
Your suggestions and opinions are very much appreciated.
Regards,
- NM
observium mailing list
observium@observium.org
http://postman.memetic.org/cgi-bin/mailman/listinfo/observium
Hi Nate,
Did you set this option to true in your config:
$config['auth']['remote_user'] = FALSE; // Trust Apache server to authenticate user, READ DOCUMENTATION FIRST!!
Then it should likely just work...
Tom
On 2016-01-25 05:01, Nate Mellendorf wrote:
Nate,
I know you probably have this working by now, but is the little "e" at the end of "%{ENV:REMOTE_USER}e" required or a typo?
thanks
Peter Hine
Senior Technical Support Engineer (Servers)
FCoA ITS
peter.hine@familycourt.gov.au
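As an added example (not from the thread, and not Observium's or Apache's own code), here is a small Python linter over the <Directory> block Nate posted, covering the points raised above: the "e" suffix Peter asks about is mod_headers' own format for an environment variable (%{NAME}e), so it is not a typo; what does not belong there is the ENV: prefix, which is mod_rewrite syntax; the lone RewriteCond has no RewriteRule to gate, so it does nothing; and the Order/allow lines are Apache 2.2 access control. The function name and the finding codes are chosen here, and the sample config is embedded as constructed input.

```python
import re

# Constructed sample: the <Directory> block from the vhost posted in the thread.
SAMPLE = """\
<Directory "/opt/observium/html/">
AuthType Basic
AuthName "Restricted Content"
AuthUserFile /etc/apache2/.htpasswd
Require valid-user
Options Indexes FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
RewriteEngine on
RewriteCond %{ENV:REMOTE_USER} (.+)
RequestHeader set X-Forwarded-User %{ENV:REMOTE_USER}e
</Directory>
"""

def lint_directory(text):
    """Return (code, line_no, message) findings; codes are names chosen for this example."""
    findings = []
    pending_cond = None   # line of a RewriteCond not yet consumed by a RewriteRule
    has_require = False   # without Require, Apache never authenticates and REMOTE_USER is never set
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        directive = line.split(None, 1)[0].lower() if line else ""
        if directive == "rewritecond":
            pending_cond = n
        elif directive == "rewriterule":
            pending_cond = None
        elif directive == "require":
            has_require = True
        # mod_headers expands env vars as %{NAME}e; the ENV: prefix exists only in mod_rewrite
        if directive in ("requestheader", "header") and re.search(r"%\{ENV:[^}]+\}e", line):
            findings.append(("HDR_ENV_PREFIX", n, "write %{NAME}e; 'ENV:' belongs to RewriteCond/RewriteRule"))
        if directive in ("order", "allow", "deny"):
            findings.append(("ACCESS_COMPAT", n, "Apache 2.2 access control; 2.4 needs mod_access_compat for it"))
    if pending_cond is not None:
        findings.append(("COND_NO_RULE", pending_cond, "RewriteCond only gates the next RewriteRule; none follows, so it is inert"))
    if not has_require:
        findings.append(("NO_REQUIRE", 0, "no Require directive: nothing is authenticated, so REMOTE_USER stays unset"))
    return findings

if __name__ == "__main__":
    for code, n, msg in lint_directory(SAMPLE):
        print(f"line {n}: {code}: {msg}")
```

When PHP runs inside the same Apache (mod_php or a local FastCGI backend), the Basic-auth identity already reaches the application as REMOTE_USER, which is the variable Tom says the remote_user option trusts; the header-forwarding lines only matter when a separate backend sits behind the proxy.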
participants (3)
- Nate Mellendorf
- Peter.Hine@familycourt.gov.au
- Tom Laermans